Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-08-2024 23:30

Behavioral task: behavioral1
Sample: c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe
Size: 144KB
MD5: c9d8a1567baec7320f844d6415560ae5
SHA1: 9adf3ba3b223a7c2ed10b68b7df74b150137b400
SHA256: 84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689
SHA512: f7b93cbd8694f0536a3b45c4f9164543ca5e3f178aa3281e5470f4ce9809fcb2a8aa6df1118f1e6d70f7172b38fe4226dfd4d68f35ff17fc07a6599aba44d9d7
SSDEEP: 3072:bltrbkFEEqOWYnLdLfD/g5fVVqZZ5lYkj:bvwFEEqPYnLtf74DqZ+0
Malware Config
Signatures
Drops file in System32 directory (4 IoCs)
Processes: acliprop.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | acliprop.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | acliprop.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | acliprop.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | acliprop.exe
Note: all four paths are the WinINet cache, cookie and history folders of the SYSTEM profile as seen by a 32-bit process (SysWOW64\config\systemprofile). WinINet creates them when it is initialised, so they indicate that acliprop.exe ran under the SYSTEM profile and used WinINet; the report does not show a payload being written to any of them.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs; MITRE ATT&CK T1614.001)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe, acliprop.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acliprop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acliprop.exe
Note: both instances of the sample and both instances of acliprop.exe open the key. Ordinary software and language runtimes read NLS\Language as well, so on its own this is weak evidence; it matters here only in combination with the other behaviour.
Modifies data under HKEY_USERS (3 IoCs)
Processes: acliprop.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | acliprop.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | acliprop.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | acliprop.exe
Note: the three CachePrefix values are WinINet's cache container settings, written to the .DEFAULT hive when a process without a loaded user profile initialises WinINet. Together with the systemprofile paths above they are side effects of WinINet use rather than deliberate persistence; the report records no Run key or service being created.
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: acliprop.exe
pid | process
2032 | acliprop.exe (10 identical entries)
Suspicious behavior: RenamesItself (1 IoC)
Processes: c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe
pid | process
3156 | c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe
Note: the second instance of the sample (PID 3156, the one started with the --6304abef argument) renamed or moved its own executable file. The report does not record the destination; the only new executable that appears afterwards is C:\Windows\SysWOW64\acliprop.exe.
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe, acliprop.exe
description | pid | process | target process
PID 1632 wrote to memory of 3156 | 1632 | c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe | c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe (3 identical entries)
PID 2056 wrote to memory of 2032 | 2056 | acliprop.exe | acliprop.exe (3 identical entries)
Note: every write goes from a process into the copy of itself it has just started; no write into an unrelated process is recorded, and the report does not say what was written. This is the shape of a dropper staging a second instance of itself, not evidence of injection into a third-party process.
Processes

C:\Users\Admin\AppData\Local\Temp\c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe"
  PID: 1632
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe (child of PID 1632)
    command line: C:\Users\Admin\AppData\Local\Temp\c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe --6304abef
    PID: 3156
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\acliprop.exe
  command line: "C:\Windows\SysWOW64\acliprop.exe"
  PID: 2056
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\acliprop.exe (child of PID 2056)
    command line: C:\Windows\SysWOW64\acliprop.exe --7c297a14
    PID: 2032
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
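Detection logic for the pattern in the tree above, as an added example that is not part of the sandbox report or of the sample. It runs over constructed Sysmon-style process-creation records (Event ID 1 field names) that mirror the report's tree and flags an image whose SHA256 equals the submitted sample's hash, a process that starts a copy of itself with a "--<8 hex digits>" argument (1632 -> 3156 and 2056 -> 2032 above), and that same self-spawn coming from a Windows system directory (the acliprop.exe copy in SysWOW64). The parents and parent PIDs of the two root processes and the Hashes field are assumptions; the report gives a hash only for the submitted file.

```python
"""Flag the self-spawning dropper pattern in Sysmon-style process records.

Added example, not part of the sandbox report or the sample.  The records
below are constructed to mirror the report's process tree.
"""
import ntpath
import re
from collections import defaultdict

# SHA256 of the submitted sample, from the report's General section.
REPORT_SHA256 = {"84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689"}

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HEX_ARG = re.compile(r"^--[0-9a-f]{8}$")          # e.g. --6304abef, --7c297a14
TOKEN = re.compile(r'"([^"]*)"|(\S+)')            # quoted token | bare token

R_HASH = "sha256 matches report sample"
R_SELF_SPAWN = "self-spawn with --<8 hex> argument"
R_SYSDIR = "self-spawn from a Windows system directory"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c9d8a1567baec7320f844d6415560ae5_JaffaCakes118.exe"
ACLIPROP = r"C:\Windows\SysWOW64\acliprop.exe"

# Constructed records.  PIDs, images and command lines follow the report's
# tree; the parents of the two root processes (explorer.exe, services.exe),
# their parent PIDs and the Hashes field are assumptions.
EVENTS = [
    {"ProcessId": 1632, "ParentProcessId": 4044,
     "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"',
     "Hashes": "SHA256=84591C3C2509D1A20F9A528545F4AD25B6A647618EA71F5DD79617E157040689"},
    {"ProcessId": 3156, "ParentProcessId": 1632,
     "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": f'"{SAMPLE}" --6304abef'},
    {"ProcessId": 2056, "ParentProcessId": 652,
     "Image": ACLIPROP, "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": f'"{ACLIPROP}"'},
    {"ProcessId": 2032, "ParentProcessId": 2056,
     "Image": ACLIPROP, "ParentImage": ACLIPROP,
     "CommandLine": f'"{ACLIPROP}" --7c297a14'},
]


def split_args(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def parse_hashes(field):
    """Turn a Sysmon 'Hashes' value (ALG=hex,ALG=hex,...) into {ALG: hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, value = part.split("=", 1)
            out[alg.strip().upper()] = value.strip().lower()
    return out


def is_self_spawn_with_hex_arg(ev):
    """Parent and child share an image and the child got a --<8 hex> argument."""
    if ev["Image"].lower() != ev["ParentImage"].lower():
        return False
    return any(HEX_ARG.match(a.lower()) for a in split_args(ev["CommandLine"])[1:])


def in_system_dir(image):
    return ntpath.dirname(image).lower() in SYSTEM_DIRS


def evaluate(events):
    """Return [(pid, image, [reasons])] for every record that matches a rule."""
    hits = []
    for ev in events:
        reasons = []
        if parse_hashes(ev.get("Hashes", "")).get("SHA256") in REPORT_SHA256:
            reasons.append(R_HASH)
        if is_self_spawn_with_hex_arg(ev):
            reasons.append(R_SELF_SPAWN)
            if in_system_dir(ev["Image"]):
                reasons.append(R_SYSDIR)
        if reasons:
            hits.append((ev["ProcessId"], ev["Image"], reasons))
    return hits


def render_tree(events):
    """Rebuild the parent/child tree the report shows, one line per process."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ParentProcessId"]].append(ev)
    known = {ev["ProcessId"] for ev in events}
    lines = []

    def walk(ev, depth):
        lines.append(f"{'  ' * depth}PID {ev['ProcessId']}: {ev['CommandLine']}")
        for child in children[ev["ProcessId"]]:
            walk(child, depth + 1)

    for root in (ev for ev in events if ev["ParentProcessId"] not in known):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for pid, image, reasons in evaluate(EVENTS):
        print(f"[!] PID {pid} {image}: {'; '.join(reasons)}")
```

The hash rule only catches the submitted file; the two behavioural rules are what catch the renamed copy, since the report gives no hash for acliprop.exe. Run against real Sysmon data, expect the self-spawn rule to need an allowlist for legitimate programs that relaunch themselves with short hex arguments; the system-directory variant is the higher-confidence signal.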